Despite what you may think, IT security *is* your business

I often wonder if, early in my career, working for large, cold, faceless corporate giants, I was wasting time fighting against all hope that I could make a change in how seriously they took the security and integrity of their IT systems.

Futile as it may have seemed, I wouldn't give up that experience for anything. It provided a ton of useful insights that have allowed me to see through their eyes and provide more salient arguments to effect change.

One of the organizations I worked at had IT security issues on a daily basis: viruses, lost devices, stolen data and intellectual property walking off with recently dismissed employees.

I regularly attempted to draw management's attention to the problem, and the fact that we had all of the software, manpower and will we needed to fix it. All we had to do was adjust our attitude toward the problem.

The reply? "We aren't in the business of IT or security. We make widgets. We maximize investor returns by buying, selling and trading subsidiaries to create wealth."

Well, I have news for companies who adopt this attitude. It simply isn't true anymore.

This same company spent millions of dollars monthly maintaining their fleet of delivery trucks, the robots in their factories and even the coffee machines in the breakroom.

We once had an outage due to a power failure at a critical IT facility that cost the organization over $1 million an hour because robots needed the computers at that facility to tell them what to make. When that's the case, can you afford not to be an IT company?

In this day and age, for an organization to ignore IT security is patently irresponsible. If you really feel that way, perhaps you should take down your website, turn off the internet connection and live in a world that matches your fantasy.

What prompted this rant? According to datalossdb.org's 2011 yearly report, more than 126 million personally identifiable records were compromised in 369 incidents.

As most incidents go unreported, those numbers are only the tip of the iceberg. In fact, most jurisdictions don't require organizations to report incidents, so this represents only those that are regulated and those that were "outed."

It is time to recognize that the internet is a utility, and your computers are property that you have an *obligation* to properly maintain for the safe operation of most businesses.

A perfect example of not learning or apparently caring about security very much is Care2.com. While they have finally revised their password reset process, they clearly have not embraced protecting your information.

Care2.com was compromised in December 2010 and had over 17 million user IDs and passwords stolen, all of which were stored in plain text. They even offered to email you your password. Any organization that can return existing passwords to a customer is not even trying to securely store them.

I checked out their site today to determine if they learned any lessons from the breach. While they will no longer send your password when you attempt to reset (Good!), they let me choose a password of "password" when I created my account.

Strangely, when I then tested out the password reset process, it insisted on an eight-character password that had to contain a numeral (which arguably lowers the entropy). Note that my prior password of "password" clearly hadn't been held to this standard. Requiring password complexity in only some circumstances and not others is pointless.
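Added example, not Care2's code or the author's: a minimal account store in Python showing the properties the last few paragraphs argue for. Passwords are kept only as salted PBKDF2 hashes, so the server has nothing to mail back and a reset must issue a one-time token instead; and one policy check is applied at both sign-up and reset rather than at reset alone. The in-memory user table, the policy rules and the iteration count are assumptions for illustration.

```python
import hashlib
import hmac
import secrets

USERS = {}  # constructed in-memory user table standing in for a database

def check_policy(password):
    """One policy used at sign-up AND at reset; returns a list of violations (empty = acceptable)."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if password.lower() in {"password", "12345678", "qwerty123"}:
        problems.append("common password")
    return problems

def hash_password(password, salt=None):
    # Per-user random salt plus a slow KDF (200k rounds assumed); the plaintext itself is never stored.
    salt = salt or secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def register(username, password):
    if check_policy(password):
        return False
    USERS[username] = {"pw": hash_password(password), "reset": None}
    return True

def verify(username, password):
    rec = USERS.get(username)
    if rec is None:
        return False
    salt, digest = rec["pw"]
    return hmac.compare_digest(hash_password(password, salt)[1], digest)

def start_reset(username):
    """Issue a one-time token: the server holds only a hash, so it has no password to mail back."""
    rec = USERS.get(username)
    if rec is None:
        return None
    token = secrets.token_urlsafe(32)
    rec["reset"] = hashlib.sha256(token.encode()).digest()  # store only the token's hash
    return token

def finish_reset(username, token, new_password):
    rec = USERS.get(username)
    if rec is None or rec["reset"] is None:
        return False
    if not hmac.compare_digest(hashlib.sha256(token.encode()).digest(), rec["reset"]):
        return False
    if check_policy(new_password):  # same rules as at sign-up
        return False
    rec["pw"], rec["reset"] = hash_password(new_password), None  # token is consumed
    return True
```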

It is unclear if the passwords are now securely stored, but it almost doesn't matter. Their web server supports HTTPS, but as soon as you click a link like "Login" or "Join" it reverts to an unencrypted connection.

Yes, everything you enter into the form fields, including your user ID, birth date, password, and personal group preferences, like NAACP, GLBT Rights, Pagans and Planned Parenthood, is transmitted in plain text and easily intercepted on public WiFi.
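Added example, not part of the original post: a small Python audit you can run against your own site's HTML that parses the page's forms and flags any password form that is served over, or submits to, plain HTTP, the downgrade described above. The sample page and the www.example.test host are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class FormAuditor(HTMLParser):
    """Collect every <form> on a page: where it submits and whether it carries a password field."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # An empty or relative action submits back to the page's own URL.
            self._current = {"action": urljoin(self.page_url, a.get("action") or ""), "password": False}
        elif tag == "input" and self._current is not None and (a.get("type") or "").lower() == "password":
            self._current["password"] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(self._current)
            self._current = None

def insecure_login_forms(page_url, html):
    """Submit URLs of password forms that are served over plain HTTP or post to plain HTTP."""
    auditor = FormAuditor(page_url)
    auditor.feed(html)
    page_is_plain = urlsplit(page_url).scheme != "https"
    return [f["action"] for f in auditor.forms
            if f["password"] and (page_is_plain or urlsplit(f["action"]).scheme != "https")]

# Constructed sample page: reached over HTTPS, but its login form posts to an http:// URL.
# The search form has no password field and is not a finding.
SAMPLE_HTML = """
<html><body>
<form action="/search"><input type="text" name="q"></form>
<form action="http://www.example.test/login" method="post">
  <input type="text" name="user"><input type="password" name="pass">
</form>
</body></html>
"""

if __name__ == "__main__":
    print(insecure_login_forms("https://www.example.test/", SAMPLE_HTML))  # ['http://www.example.test/login']
```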

Of course Care2.com proudly displays the TRUSTe symbol to assure you they respect and protect your privacy. I contacted TRUSTe for comment, but they have not yet returned my call.

On the other hand you have Stratfor. While they didn't learn from others' mistakes, they took the site down until they could safely bring it back online. George Friedman, their CEO, took full responsibility even stating "That's not a justification. It's simply an explanation."

If you work for one of the companies with this malady, please speak up. Make it an issue and don't let it be swept under the carpet. Make sure your management is aware of what has happened to others in your industry and make recommendations that can mitigate the risk.

While Stratfor may have lost information on 850,000+ accounts, Care2 lost almost 18 million and has still not embraced fixing the type of problems that led to their compromise to begin with.

All of us have a role to play in a more secure internet and it's high time we admit we have a problem and get on with fixing the issues as quickly as possible.

If your company has customer information, takes credit cards or has computers that use passwords, then IT security is in fact your business.

6 Responses to Despite what you may think, IT security *is* your business

They obviously have some more problems with proper IT systems there. The site is inhabited by approximately 1 billion spam bots, which set up tons of fake spam blogs (and links to these are then further distributed as spam in forums). I guess it's no coincidence that no captcha is mentioned here. Oh, and there's no real option to report that stuff; their contact form doesn't consider that.

If some IT system needs a security overhaul, then surely theirs.

Besides that, nice blog entry.

But it could be even worse. I once worked as a student at an institute, and they insisted on having an independent network without having a network admin (or even considering hiring one).

I work retail IT for a big box chain. The security and general IT management is pathetic. When I tried to raise the bar on a few issues I was told almost exactly what you said, "We are not in the IT business and never will be. We are retail."

Some are finally coming around. But what I'm seeing from some businesses is "let's not be proactive because we need some projected profit we may or may not make." Then if a calamity does happen, that's when the calls come in: "Why didn't someone bring this up earlier? We could have allocated what was needed." Um, no, you wouldn't have, because you didn't want to spend the $$.

About the author

Chester Wisniewski is a Senior Security Advisor at Sophos Canada. He provides advice and insight into the latest threats for security and IT professionals with the goal of providing clear guidance on complex topics.
You can follow Chester on Twitter as @chetwisniewski, on App.net as Chester, Chester Wisniewski on Google Plus or send him an email at chesterw@sophos.com.